
OAuth 2.0: A Framework to Delegate Authorization

Hi everyone, this is SMRUTI. Today I am going to give a short description of the OAuth 2.0 authorization framework.

OAuth 2.0 was developed by the IETF OAuth Working Group and published as RFC 6749 in October 2012.

Before discussing OAuth 2.0, let's cover some basics of enterprise security, which are the foundation for implementing any kind of security.

Let us discuss some basic terminology that is used very commonly while implementing web application security:

Authentication, Authorization, Data Integrity and Confidentiality.

Here is a short description of each of these terms.

Authentication: Authentication is the process of verifying the identity of a user. The most common way is for the user to present a username and password, but the same idea covers client certificates, one-time codes or any other credential that proves who the user is.

Authorization: Authorization is the process of validating access permissions, or in other words the scope of access a user has. Authorization decides whether a particular resource may be accessed by a specific user, typically based on the role of that user. Note that authorization comes after authentication: you first establish who the user is, and only then what they are allowed to do.

Data Integrity: Data integrity is the guarantee that data transferred between client and server is not changed, accidentally or by an attacker, while in transit. On the web it is usually provided by TLS, the successor of the Secure Sockets Layer (SSL), which attaches a message authentication code (or uses an authenticated encryption mode) to every record so that any modification is detected and the connection is dropped.

Let's discuss what SSL is.

When doing business on the web there is a chance that an attacker on the network intercepts sensitive customer data such as a bank ID, password or card number. SSL (Secure Sockets Layer) was introduced to prevent exactly this. It is a standard security protocol for communication between the user's browser and the server: the two sides negotiate a session key, the browser encrypts what it sends (username, password, card information and so on), and only the server can decrypt it. The server also presents a certificate, so the browser can check that it is talking to the real site and not to an impostor. SSL is used by millions of websites to protect online transactions and customer information. Two caveats a practitioner should know: the SSL protocol versions themselves (SSL 2.0 and 3.0) have known weaknesses and are deprecated, so what actually runs today is the successor protocol TLS (TLS 1.2 and 1.3), even though people still say "SSL"; and SSL/TLS only protects data in transit, so it does nothing against weaknesses in the application itself once the data has been decrypted on the server.


Confidentiality: Confidentiality is the guarantee that no one except the intended recipient is able to read our information. It is achieved by keeping the data secret (access control) or by using an encryption mechanism, such as TLS for data in transit and encryption at rest for stored data.

Along with that, there are several HTTP authentication mechanisms:

BASIC, DIGEST, Form-based, Https client-cert.

Here I am giving short information on these authentication mechanisms,

because before going to OAuth you should have some basic knowledge of how they work.

BASIC AUTHENTICATION MECHANISM:

BASIC is an authentication mechanism defined for HTTP (it dates from HTTP 1.0/1.1 and is now specified in RFC 7617). The server answers with 401 and a WWW-Authenticate: Basic header, and the browser then sends username:password base64-encoded in the Authorization header of each request. Base64 is an encoding, not encryption, so anyone who can see the request can recover the password; BASIC must only be used over HTTPS.

It is the simplest and most commonly used authentication mechanism.


DIGEST AUTHENTICATION MECHANISM:

It is similar to BASIC except that the password is not sent at all: the server sends a random nonce, and the client sends back an MD5 hash computed over the username, realm, password, nonce, HTTP method and URI (RFC 7616). An eavesdropper sees only the hash, which makes it more secure than BASIC on an unencrypted connection. It is hashing, not encryption, however: the hash is based on MD5, and the password can still be guessed offline from a captured exchange. For that reason DIGEST is rarely used today, and HTTPS with one of the other mechanisms is preferred.
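To make the difference between BASIC and DIGEST concrete, here is an added example (my own illustration for this post, not code from any library or from a real server): it builds a Basic header and shows how trivially it decodes, then computes and verifies a Digest response the way RFC 7616 describes it for qop=auth with MD5. The username, realm, password, URI and nonce are made-up sample values.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not code from the original post. Credentials, realm, URI and
# nonce used with these functions are constructed sample values.


def basic_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic header: 'username:password' in base64."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> tuple:
    """What an eavesdropper does with a Basic header sent without TLS:
    base64 is an encoding, so the password comes straight back."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(username:realm:password). A Digest server stores only this value,
    never the plaintext password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 7616 response for qop=auth with the MD5 algorithm.
    The password never leaves the client; only this hash does."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    data = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(data.encode()).hexdigest()


def digest_client(username: str, realm: str, password: str,
                  method: str, uri: str, nonce: str) -> dict:
    """Client side: answer the server's challenge (nonce) for one request."""
    cnonce = secrets.token_hex(8)   # client nonce, fresh per request
    nc = "00000001"                 # request counter for this server nonce
    ha1 = digest_ha1(username, realm, password)
    return {"username": username, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


def digest_server_verify(stored_ha1: str, method: str, issued_nonce: str,
                         fields: dict) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.
    A nonce the server did not issue is rejected, which blocks plain replay."""
    if fields["nonce"] != issued_nonce:
        return False
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])
```

Two things worth noticing when you run it: the Basic header for the RFC's own sample credentials (Aladdin / open sesame) decodes back to the password with one base64 call, and the Digest exchange verifies without the password ever appearing in the fields sent to the server, but a captured response can still be brute-forced offline against candidate passwords, which is why Digest on plain HTTP is not a substitute for TLS.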

FORM-BASED AUTHENTICATION MECHANISM:

This mechanism is similar to BASIC, but instead of depending on the browser's dialog box, we can provide our own login form. The developer is responsible for providing the login and error pages, so the look and feel can be customized to our requirements. The credentials are sent as a normal POST body, so, like BASIC, it only protects the password if the form is served and submitted over HTTPS.

HTTPS CLIENT-CERT AUTHENTICATION MECHANISM:

This is the most secure of the four mechanisms and is commonly used in real systems where the client can be issued a certificate (service-to-service calls, enterprise intranets). The server asks the client for an X.509 certificate during the TLS handshake and verifies it, so authentication is done by the transport layer rather than by a password; this is also called mutual TLS. HTTPS means HTTP over Secure Sockets Layer (today, over TLS).

                      HTTPS=HTTP+SSL

OAuth 2.0:

Let's discuss what OAuth 2.0 is and why everyone on the internet is using it.

OAuth 2.0 is an open standard for access delegation: it lets a user grant one application limited access to their resources at another application without handing over their password. Strictly speaking it is an authorization standard, not an authentication standard. The "log in with Google/Facebook" pattern that people associate with OAuth is built on top of it (OpenID Connect adds an identity layer and an ID token to OAuth 2.0), so in practice OAuth is used for both, but the OAuth 2.0 specification itself only defines how delegated access is granted.

When we access a secured application, it first verifies our identity by logging us in, and then it ensures that we access only the data and functionality of the application that we are authorized for. So the basic requirements are identity and permission, or authentication and authorization.

OAuth is the standard which allows an application to gain access to a user's data in another application without ever knowing the user's ID and password for that second application.


Here the user is using application A, and application A wants some data about the user which application B holds. Instead of the user sharing his application B user ID and password with A, application A redirects the user to application B to log in and approve the request. Application B then issues a security token to application A, and application A presents that token on each call to B to fetch the required user information. The token is limited to what the user approved, and B can revoke it without the user having to change his password.

Let's take an example from our most popular website, Sriman Java Group. Suppose you are reading an article or blog post and you would like to give your opinion in the comment section. To do this, Sriman Java Group wants you, as an end user, to authenticate yourself first by logging in. Instead of making you register with Sriman Java Group, it uses the login services provided by Google+ and Facebook, because most of us already have a Facebook account or a Google login. So Sriman Java Group redirects you to the Google+ or Facebook login page, and after you log in there, Google+ and Sriman Java Group communicate and share the user's identity (not the password itself, only a token and the profile data the user approved). This process, where one application uses another application to authenticate its users, is called federated authentication, and it is one of the most common uses of OAuth (formally through the OpenID Connect layer on top of it).


Sriman Java Group registers with Google+ and Facebook and gets a client ID (together with a client secret, which must stay on the server side).

http://googleplusapi.com/oauth?client_id=srimanjavagroup&state=485693567&redirect_uri=sriman...

 

When the user tries to comment on any blog or article on our Sriman Java Group site, it redirects him to the Google+ or Facebook website with the parameters shown above. The client_id (client_id=srimanjavagroup) identifies Sriman Java Group to Google; it was assigned when Sriman Java Group registered. The state (state=485693567) is a unique, unguessable value that Sriman Java Group itself generates and ties to the user's current session. When the user comes back, Sriman Java Group compares the returned state with the one stored in the session, so that it can put the user back into that session and reject any callback that did not originate from a request it made (this is the CSRF protection of the flow). The final parameter is the redirect_uri, the URL to which Google sends the user back once authentication is completed; it must match one of the URLs registered with Google, otherwise the code could be sent to an attacker's site. A real request also carries response_type=code and a scope parameter saying what access is being requested.

Then the user enters the login information on the Google page. Google authenticates him and redirects back using the URL http://srimanjavagroup.com/?state=485693567&code=121212, that is, with the state that Sriman Java Group had forwarded as a query parameter, and with an authorization code that Google generates.

Sriman Java Group  <--  code=121212  <--  Google

Then Sriman Java Group takes that code and sends one more HTTP request to Google, this time a POST from its own server to Google's token endpoint, including its client secret. Google checks the code and returns an access token. From then on Sriman Java Group can send any number of requests to Google with that token to get the user information that the user allowed Sriman Java Group to access on Google or Facebook. The code is single-use and short-lived, and the token itself never passes through the browser, which is why this is called the authorization code flow.
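Here is the whole exchange from the paragraphs above, as an added example (my own illustration, not code from the original post or from Google). The endpoint URL, client secret, redirect URI and user name are assumed values, and Google's side is replaced by a small in-process stand-in so that the example runs offline; the client side shows the two checks a practitioner must get right: the state comparison on the callback, and the back-channel exchange of the single-use code. It goes one step beyond the text by also sending a PKCE code_challenge and code_verifier (RFC 7636), which current guidance recommends for every authorization code client.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not code from the original post. The endpoint URL, client
# secret, redirect URI and user name are assumed/constructed values; Google's
# real endpoints and registration details differ.
AUTHORIZE_ENDPOINT = "https://accounts.example.com/oauth/authorize"
CLIENT_ID = "srimanjavagroup"
CLIENT_SECRET = "s3cret-issued-at-registration"   # lives on the server, never in the browser
REDIRECT_URI = "https://srimanjavagroup.com/oauth/callback"  # registered with the provider


def b64url_sha256(text: str) -> str:
    """PKCE S256 challenge: base64url(SHA-256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(text.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ClientSession:
    """What Sriman Java Group keeps in the user's server-side session."""
    def __init__(self):
        self.state = None
        self.code_verifier = None
        self.access_token = None


def build_authorization_url(session: ClientSession, scope: str = "profile email") -> str:
    """Step 1: the client builds the redirect that sends the browser to Google."""
    session.state = secrets.token_urlsafe(16)          # unguessable, bound to this session
    session.code_verifier = secrets.token_urlsafe(32)  # PKCE secret, kept until the exchange
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": session.state,
              "code_challenge": b64url_sha256(session.code_verifier),
              "code_challenge_method": "S256"}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class FakeAuthorizationServer:
    """In-process stand-in for Google so the flow runs offline. It makes the same
    checks a real server makes: registered redirect_uri, single-use code, client
    secret and PKCE verifier on the token request."""
    def __init__(self):
        self.codes = {}    # authorization code -> what it was issued for
        self.tokens = {}   # access token -> user and scope

    def authorize(self, url: str, logged_in_user: str) -> str:
        """Step 2: user logs in and consents; the browser is sent back with code + state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"user": logged_in_user, "scope": q["scope"],
                            "challenge": q["code_challenge"]}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        """Step 4: back-channel exchange of the code for an access token."""
        record = self.codes.pop(form.get("code"), None)   # pop: a code works exactly once
        if record is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("invalid_client")
        if form.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        if b64url_sha256(form.get("code_verifier", "")) != record["challenge"]:
            raise PermissionError("invalid_grant: PKCE verifier does not match challenge")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": record["user"], "scope": record["scope"]}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


def handle_callback(session: ClientSession, callback_url: str,
                    server: FakeAuthorizationServer) -> dict:
    """Step 3: the client's redirect_uri handler. Check state before doing anything."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    returned = q.get("state", "").encode()
    if not session.state or not secrets.compare_digest(returned, session.state.encode()):
        raise PermissionError("state mismatch: this callback was not started by this session")
    session.state = None                      # state is single-use as well
    token_response = server.token({
        "grant_type": "authorization_code", "code": q.get("code"),
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "code_verifier": session.code_verifier})
    session.access_token = token_response["access_token"]
    return token_response


def run_flow(server: FakeAuthorizationServer, user: str = "alice") -> tuple:
    """Drive the whole exchange for one user; returns (session, callback URL)."""
    session = ClientSession()
    callback = server.authorize(build_authorization_url(session), user)
    handle_callback(session, callback, server)
    return session, callback
```

The two failure modes to try for yourself: replay the same callback URL a second time (the state has been consumed, so the client rejects it), and resend the same code to the token endpoint (the server has already popped it, so it answers invalid_grant). In a real deployment the session object would be your web framework's server-side session, and the token request would be an HTTPS POST to the provider's token endpoint.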




Another important term is delegated authorization.

For example

Let's say you use a site for filing your income tax returns online, and at the end of the day it produces a bunch of tax return documents which it allows you to save in your Google Drive.

Instead of sharing your Google username and password with the tax website, the tax website redirects you to the Google login page using OAuth. You enter your Google username and password there, never on the tax site, and from that point the tax website is able to access your Google Drive through the security token Google issued to it. Because the token was requested with only the Drive scope, it can access your Google Drive but not your Gmail, Photos or other Google services, and you can revoke it later from your Google account without changing your password. This process of authorization is called delegated authorization.
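The "Drive but not Gmail" limit in the example is enforced by the resource server, not by the login page, so here is an added example of that check (my own illustration, not code from the original post or from Google). The token table stands in for what a resource server learns by introspecting the token (RFC 7662) or by validating a signed JWT access token; the token values, scope names and paths are constructed. The responses follow RFC 6750: 401 for a missing or invalid token, 403 with insufficient_scope for a valid token that was not granted the needed scope.

```python
from typing import Optional, Tuple

# Added example, not code from the original post. TOKEN_INFO stands in for
# the result of token introspection (RFC 7662) or JWT validation; tokens,
# scope names and operation paths are constructed for the example.
TOKEN_INFO = {
    "tok-tax-drive": {"active": True, "sub": "alice", "scope": "drive.file"},
    "tok-everything": {"active": True, "sub": "alice",
                       "scope": "drive.file mail.read photos.read"},
    "tok-expired": {"active": False, "sub": "alice", "scope": "drive.file"},
}

# Resource server policy: which scope each protected operation requires.
REQUIRED_SCOPE = {
    ("POST", "/drive/files"): "drive.file",
    ("GET", "/mail/messages"): "mail.read",
    ("GET", "/photos"): "photos.read",
}


def bearer_token(headers: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def authorize_request(method: str, path: str, headers: dict) -> Tuple[int, str]:
    """Decide a request: returns (HTTP status, WWW-Authenticate header value).
    Scope is checked per operation, so a Drive-only token cannot read mail."""
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return 404, ""
    token = bearer_token(headers)
    if token is None:
        return 401, 'Bearer realm="drive"'
    info = TOKEN_INFO.get(token)          # introspection / validation result
    if info is None or not info["active"]:
        return 401, 'Bearer realm="drive", error="invalid_token"'
    if required not in info["scope"].split():
        return 403, f'Bearer realm="drive", error="insufficient_scope", scope="{required}"'
    return 200, ""
```

The point of checking scope per operation (rather than just "is this token valid?") is exactly the delegation boundary in the example: the tax site's token opens /drive/files but is turned away from /mail/messages, and an expired or revoked token is rejected before scope is even looked at.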

The current version of OAuth is OAuth 2.0, which is the version in general use today (it replaced OAuth 1.0a).

https://oauth.net/2/


OAuth defines standard rules (roles, endpoints and message formats), which is why any application can take part in the flow to do federated authentication and delegated authorization:

* data access without sharing usernames and passwords between applications, in two forms:

1) federated authentication

2) delegated authorization

There are four different roles in the entire OAuth lifecycle:

1. Resource owner (the user who owns the data, e.g. the visitor with a Google account)

2. Resource server (the API that holds the data and accepts access tokens, e.g. Google Drive)

3. Client (the application that wants the data, e.g. Sriman Java Group or the tax website)

4. Authorization server (the server that authenticates the user and issues the code and token, e.g. Google's login service)


* The oauth.net page above lists the available implementations of OAuth in various languages. In Java, Spring Security provides an implementation, and Apache CXF has complete support for OAuth 2.0.


Regards

Smruti Prakash Nayak


tags: oauth

About author

smrutiprakash3824

Hi, this is Smruti, I am from Odisha. I am technically sound in Java programming and very comfortable with web application development. I have good knowledge of the Spring framework, web services, Hibernate, RESTful services, Oracle, MySQL, HTML, CSS, JavaScript, Spring Cloud, microservices etc.


Comments

  • author image
    by:
      abhilesh
      10-5-2018 08:13:46 AM

    Boss, it's a nice blog, thanks for sharing such kind of blog. Please write a blog on Swagger, it will be helpful.

  • author image
    by:
      Pratik4551
      09-2-2018 03:55:34 AM

    It's really helpful, thanks for sharing such kind of knowledge.

  • author image
    by:
      SuReSh001
      02-2-2018 03:35:16 PM

    It is very good, Smruti. Thanks for sharing your knowledge with us.

  • author image
    by:
      Pritam91
      31-1-2018 04:55:26 AM

    Smruti, many thanks for your assistance. I appreciate your taking the trouble to help us.

  • author image
    by:
      prakash705
      30-1-2018 06:57:22 PM

    Nice blog you have written. Please write more blogs which are going to be helpful to us.
